The purpose of the policy for personal data protection is to inform natural persons, service users, colleagues and employees, as well as other persons (hereinafter: natural persons) who cooperate with the Murska Sobota Prekmurje Museum, address: Trubarjev drevored 4, 9000 Murska Sobota (hereinafter referred to as “the Organization”) regarding the purpose and titles, security measures and the rights of natural persons in the processing of personal data by our Organization in the framework of e-documenta Pannonica project.
We value your privacy, so we always carefully protect your information.
Your personal data will be processed in accordance with European legislation (Regulation (EU) No 2016/697 on the protection of natural persons with regard to the processing of personal data and the flow of such data) (hereinafter the General Data Protection Regulation) and applicable legislation on the protection of personal data. (Act on Protection of Personal Data, ZVOP-1, SZK Off. Bull., No. 94/07) and other legal acts that provide a legal basis for the processing of personal data.
In the personal data protection policy statement, we inform natural persons about the way in which our Organization, as a data controller, handles personal data received from a natural person according to the legal bases described below.
Data Manager
The Organization that handles the personal data:
POMURSKI MUZEJ MURSKA SOBOTA (Prekmurje Museum Murska Sobota), address: Trubarjev drevored 4, SI-9000 Murska Sobota, Slovenia
Email: tajnistvo@pomurski-muzej.si
Phone: +386 2 527 17 06
Authorized person
In accordance with Article 37 of the General Data Protection Regulation, the following company has been appointed as Data Protection Officer:
DATAINFO.SI, d.o.o.
Tržaška cesta 85, SI-2000 Maribor
www.datainfo.si
Email: dpo@datainfo.si
Phone: +386 2 620 4 300.
Personal data
Personal data means any information relating to a given or identifiable person (hereinafter referred to as the natural person to whom the personal data relate); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, web identifier or one or more physical, physiological, genetic, intellectual, economic, cultural or social identity factors of that person.
Objectives and basis of data management
The Organization collects and processes your personal data on the following legal bases:
- the data processing is necessary to fulfill a legal obligation of the controller;
- the processing is necessary for the performance of a task carried out in the public interest or to exercise the official authority vested in the controller;
- the processing is necessary for the performance of a contract to which the natural person to whom the personal data relate is a party to or at the request of such a natural person for the performance of measures preceding the conclusion of the contract;
- the processing is necessary in the legitimate interests of the controller or of a third party;
- the natural person to whom the personal data relate has consented to the processing of their personal data for one or more specified purposes;
- - the processing is necessary in order to protect the vital interests of the natural person to whom the personal data relate or of another natural person.
Fulfillment of legal obligations and performance of tasks in the public interest
Under the provisions of the Act, the Organization primarily handles data about its employees, which is permitted by labor law. Thus, according to the legal obligation, the Organization mainly processes the following types of personal data: name and surname, gender, date of birth, EMŠO (personal identification number), tax ID, place of birth, settlement and country of residence, citizenship, place of residence for the purpose of fulfilling the employment contract and obligations under this title.
The legal basis for the processing of personal data of natural persons is also: Act on the Implementation of the Cultural Public Interest, Act on the Protection of Cultural Heritage, Act on Employment, Act on the Wage System in the Public Sector, Act on the Protection of Documents and Archive Materials, Act on the Provision of Funds, Act on Urgent Cultural Programs of the Republic of Slovenia and other legislation in the field of culture.
In some cases, the processing of personal data in the public interest is also permitted at the Organization.
Performance of the contract
In the case of a contract with the Organization, this constitutes a legal basis for the processing of personal data. We may process your personal data for the purpose of concluding and fulfilling a contract, such as ticket sales, museum events, etc. If a natural person does not provide personal data, the Organization cannot enter into a contract or provide services or deliver goods or other products in accordance with the contract because it does not have the necessary information to do so. Based on the performance of its legal activity, the Organization can inform natural persons and users of its services about its services, events, educational, offers and other content by e-mail. A natural person may at any time request the cessation of such communication and processing of personal data and unsubscribe from receiving messages with the unsubscribe link provided in the received message, or by sending an e-mail to tajnistvo@pomurski-muzej.si or by ordinary mail, which is sent by postal service to the address of the Organization.
Legitimate interest
The exercise of a legitimate interest is limited to the data management of public authorities in the performance of their duties. However, the Organization may also process personal data on the basis of a legitimate interest that the Organization exercises to a limited extent. The latter shall not be permitted if those interests are outweighed by the interests or fundamental rights and freedoms of the natural person concerned, which require the protection of personal data. In the event of exercising a legitimate interest, the Organization will always carry out a review in accordance with the General Data Protection Regulation.
Thus, from time to time, we may inform natural persons by e-mail, telephone and post about services, events, trainings, offers and other content. A natural person may, at any time, request the cessation of such communication and processing of personal data and unsubscribe from receiving messages with the unsubscribe link provided in the received message, or by sending an e-mail to tajnistvo@pomurski-muzej.si or by ordinary mail which is sent by postal service to the address of the Organization.
Data management on the basis of consent
If the Organization has no legal basis for public service task, legal obligation, contractual obligation or legitimate interest, it may request the consent of the natural person. Thus, the Organization may process certain personal data of the natural person for the following purposes, provided that consent of the natural person was given:
- place of residence and e-mail address for information and communication purposes,
- tax number or EMŠO (personal identification number) in case of non-fulfillment of obligations for possible enforcement (e.g. unsettled invoice),
- - photographs, videos and other content related to the natural person (e.g. recordings at public events) to document the activities and to inform the public about the work and events of the Organization;
- for other purposes to which the natural person consents.
If a natural person consents to the processing of personal data and at a given moment changes his or her mind, they can request the termination of the processing of personal data by an email to tajnistvo@pomurski-muzej.si or by ordinary letter to the address of the Organization.
Storage and deletion of personal data
The Organization will only store personal data for as long as is necessary to achieve its purpose of collecting and processing personal data. If the Organization manages the data in accordance with the law, the Organization shall store it for the period required by law. In doing so, some data are stored for the duration of cooperation with the Organization, and some data are stored long-term.
Personal data processed by the Organization under a contractual relationship with a natural person shall be stored by the Organization for the period necessary for the performance of the contract and shall be kept for 6 years after the contract termination, except in the event of a dispute between the natural person and the Organization. In that case, the Organization shall store the data for five years after the final decision of the court or arbitral tribunal has become final or the court settlement has become final, or for five years from the date of the amicable settlement of the dispute.
The natural person’s personal data processed by the Organization on the basis of personal consent or legitimate interest shall be stored by the Organization until the consent is withdrawn or the deletion of the data is requested. Upon receipt of a request for revocation or cancellation, the data shall be deleted within 15 days at the latest. The Organization may also delete these data before revocation if the purpose of processing the personal data has been achieved or if deletion is required by law.
Under exceptional circumstances, the Organization may refuse a request for deletion based on the General Data Protection Regulation, such as: exercising the right to freedom of expression and access to information, exercising the right of management, public health-related public interest, archiving in the public interest; scientific or historical research purposes, statistical purposes, implementation or protection of legal claims.
At the end of the storage period, the data controller actually and permanently deletes or anonymises the personal data so that they can no longer be linked to a specific person.
Contractual processing of personal data and export of data
The Organization may entrust the processing of personal data to a contractual data controller on the basis of a data processing contract. Contractual data controllers may process confidential data only on behalf of the data controller, within the limits of their authorization as set out in the written contract or other legal act and in accordance with the purposes set out in the data protection policy.
The contractual data manager with whom the service provider cooperates are primarily:
- accounting services and other legal and business consultants;
- infrastructure maintenance (video surveillance, security);
- maintainers of the information systems.
Under no circumstances will the Organization transfer the personal data of a natural person to an unauthorized third party.
Contractual data processors may process personal data only on the instructions of the Organization and may not use the personal data for any other purposes.
As a data controller, the Organization and its employees do not export personal data to third countries (outside the European Economic Area - EU member states, Iceland, Norway and Liechtenstein) and to international organizations other than the United States, in which case the contractual data managers in the United States use the Privacy Shield program. The Information Commissioner writes more about the EU-US Data Protection Shield: https://www.ip-rs.si/en/
Cookies
The Organization's website works with the help of so-called cookies. A cookie is a file that stores the settings of a site. Websites store cookies on the user’s device used to access the internet in order to identify the individual devices and settings that users used while accessing the site. Cookies allow websites to recognize if a user has already visited this website and, in the case of advanced applications, to adjust each setting accordingly. Their storage is under the full control of the browser used by the user - the user can restrict or disable the storage of cookies.
Cookies are essential to providing user-friendly online services. They store information about the status of each site, help collect statistics about users and site traffic, and more. Therefore, we use cookies to assess the effectiveness of our website design.
The Organization's website uses the following cookies:
| Cookie name | Duration | Description |
|---|---|---|
| _ga | 2 years | Used to differentiate users |
| _gid | 24 hours | Used to differentiate users |
| _gat | 10 minutes | Used to control access to the website |
| moove_gdpr_popup | 1 years | Used to store cookie settings |
| wpwpml_current_language | 1 day | Used to save language selection settings |
The storage and operation of cookies is under the full control of the browser used by the user. The browser can restrict or disable the storage of cookies as desired. It can also delete cookies saved by the browser, instructions are located on browser’s websites.
Privacy and data accuracy
The Organization ensures information security and infrastructure security (premises and application system software). Our information systems are protected among others by virus protection programs and a firewall. We have put in place appropriate organizational and technical security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other illegal and unauthorized processing. In the case of the provision of special personal data, we carry out the transfer in encrypted form, protected by password.
It is your sole responsibility to provide us with your personal data securely and to ensure that the information you provide is accurate and authentic. We strive to ensure that the personal data we process is accurate and, where necessary, updated, so we may contact you from time to time to confirm the accuracy of your personal data.
Natural persons’ data processing rights
According to the General Data Protection Regulation, a natural person has the following rights regarding the protection of personal data:
- You can request information about whether we have personal data about you and, if so, what information we hold and on what basis we store it and what we use it for
- You may request access to your personal data so that you can obtain a copy of the personal data we hold and verify that we are processing it lawfully.
- - You can request the adjustment of personal data, such as the correction of incomplete or inaccurate personal data.
- You can request the deletion of your personal data if there is no reason for further processing or if you wish to exercise your right to object to further processing.
- You may object to the further processing of your personal data if we rely on our legitimate business interest (even in the case of legitimate interest of a third party) if there are reasons related to your particular situation; without prejudice to the provisions of the previous sentence, you have the right to object at any time to the processing of your personal data if we are processing them for direct marketing purposes.
- You may restrict the processing of your personal data, which means that you can disable the processing of your personal data, for example, if you want us to review their accuracy or check the reasons for further processing.
- You may request the transfer of your personal data in a structured electronic form to another data controller, if this is possible and feasible.
- You may withdraw your consent or approval to the collection, processing and transfer of your personal data for a specific purpose. When we receive notice that you have withdrawn your consent, we will stop processing your personal data for the purposes originally agreed to by you, unless we have other legal basis not to do so.
Access to and enforcement of your rights regarding your personal data is free of charge. However, we may charge a reasonable fee if the request of the natural person to whom the personal data relate is clearly unfounded or excessive, especially if the request is repeated. In this case, the request may be denied.
When exercising your rights under this title, we may request certain information from you for the purpose of verifying your identity, only as a security measure to ensure that personal information does not reach unauthorized persons.
To exercise your rights under this title, the Information Commissioner's form is available on their website at the following link: https://www.ip-rs.si/fileadmin/user_upload/doc/obrazci/ZVOP/Zahteva_za_seznanitev_z_lastnimi_osebnimi_podatki__Obrazec_SLOP_.doc
In the event that you believe that your rights have been infringed, or if you need assistance, contact the supervisory authority for data protection or the Information Commissioner. Link: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/prijava-krsitev/
If you have any questions about the handling of your personal information, you can contact us at any time.
Communication of changes
Any changes to our privacy policy will be posted on our website. By using the website, the natural person agrees to accept and agree to the full content of the personal data privacy policy
The Privacy Policy was adopted by Metka Fujs, Director, on September 23, 2019